From 92ed3b8bd20c3b5f7dc898ff4e3ab8fc2b04f1fe Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 8 Mar 2023 16:49:44 -0500 Subject: [PATCH 01/23] First draft --- docs/osquery/alerts-run-osquery.asciidoc | 3 +++ .../osquery/invest-guide-run-osquery.asciidoc | 3 +++ .../osquery-placeholder-fields.asciidoc | 25 +++++++++++++++++++ docs/osquery/osquery-response-action.asciidoc | 3 +++ 4 files changed, 34 insertions(+) create mode 100644 docs/osquery/osquery-placeholder-fields.asciidoc diff --git a/docs/osquery/alerts-run-osquery.asciidoc b/docs/osquery/alerts-run-osquery.asciidoc index 3b226e4135..28e9ba6b35 100644 --- a/docs/osquery/alerts-run-osquery.asciidoc +++ b/docs/osquery/alerts-run-osquery.asciidoc @@ -23,6 +23,9 @@ NOTE: The host associated with the alert is automatically selected. You can spec . Specify the query or pack to run: ** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional. ++ +TIP: Use <> to dynamically add existing alert data to your query. + ** *Pack*: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + TIP: Refer to {kibana-ref}/osquery.html#osquery-prebuilt-packs-queries[prebuilt packs] to learn about using and managing Elastic prebuilt packs. diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index 8a62a6cdea..1580646e0c 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc 
@@ -24,6 +24,9 @@ NOTE: You can only add Osquery to investigation guides for custom rules because . Scroll down to the Investigation guide section. In the toolbar, click the *Osquery* button (image:images/osquery-button.png[Click the Osquery button,20,20]). .. Add a descriptive label for the query; for example, `Search for executables`. .. Select a saved query or enter a new one. ++ +TIP: Use <> to dynamically add existing alert data to your query. + .. Expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + [role="screenshot"] diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc new file mode 100644 index 0000000000..4872187b2b --- /dev/null +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -0,0 +1,25 @@ +[[placeholder-fields-osquery]] +== Use placeholder fields in Osquery queries + +Use placeholder fields to dynamically inject existing alert and event data into Osquery queries. For example, TBD + +Placeholder fields use http://mustache.github.io/[mustache syntax] (`{{}}`) and can be used in: + +- <> +- <> +- <> + +[[pf-invest-guide-osquery]] +=== Use placeholder fields in Investigation Guides + +You can add placeholder fields to Osquery queries within an <> when creating or editing a rule. Make sure to run the Investigation Guide from alerts that are generated by the rule and not the rule itself. + +[[pf-osq-response-action-osquery]] +=== Use placeholder fields in Osquery Response Actions + +TBD + +[[pf-live-queries-osquery]] +=== Use placeholder fields in live Osquery queries + +You can use placeholder fields in live queries that you are running from an alert or event. \ No newline at end of file diff --git a/docs/osquery/osquery-response-action.asciidoc b/docs/osquery/osquery-response-action.asciidoc index c2dfdbbd0a..c083ae0198 100644 
--- a/docs/osquery/osquery-response-action.asciidoc +++ b/docs/osquery/osquery-response-action.asciidoc @@ -27,6 +27,9 @@ You can add Osquery Response Actions to new or existing custom query rules. Quer ** *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, click the *osquery* icon under the Response Actions section. . Specify whether you want to set up a single live query or a pack: ** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional. ++ +TIP: Use <> to dynamically add existing alert data to your query. + ** *Pack*: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + TIP: Refer to {kibana-ref}/osquery.html#osquery-prebuilt-packs-queries[prebuilt packs] to learn about using and managing Elastic prebuilt packs. From ae30c946de8227413130a8430fd1acfc35149ece Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 9 Mar 2023 00:10:49 -0500 Subject: [PATCH 02/23] Fix ref --- docs/osquery/alerts-run-osquery.asciidoc | 2 +- docs/osquery/invest-guide-run-osquery.asciidoc | 2 +- docs/osquery/osquery-placeholder-fields.asciidoc | 15 ++++----------- docs/osquery/osquery-response-action.asciidoc | 2 +- 4 files changed, 7 insertions(+), 14 deletions(-) diff --git a/docs/osquery/alerts-run-osquery.asciidoc b/docs/osquery/alerts-run-osquery.asciidoc index 28e9ba6b35..0eed7c7b1d 100644 --- a/docs/osquery/alerts-run-osquery.asciidoc +++ b/docs/osquery/alerts-run-osquery.asciidoc 
@@ -24,7 +24,7 @@ NOTE: The host associated with the alert is automatically selected. You can spec . Specify the query or pack to run: ** *Query*: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional. + -TIP: Use <> to dynamically add existing alert data to your query. +TIP: Use <> to dynamically add existing alert data to your query. ** *Pack*: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index 1580646e0c..9234cbd363 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc @@ -25,7 +25,7 @@ NOTE: You can only add Osquery to investigation guides for custom rules because .. Add a descriptive label for the query; for example, `Search for executables`. .. Select a saved query or enter a new one. + -TIP: Use <> to dynamically add existing alert data to your query. +TIP: Use <> to dynamically add existing alert data to your query. .. Expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). + diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 4872187b2b..3178cf508a 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,13 +1,9 @@ -[[placeholder-fields-osquery]] +[[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Use placeholder fields to dynamically inject existing alert and event data into Osquery queries. For example, TBD +Use placeholder fields to dynamically inject alert and event data into queries when you run them. All Osquery fields can be placeholder fields. You can use placeholder fields in single queries and query packs. -Placeholder fields use http://mustache.github.io/[mustache syntax] (`{{}}`) and can be used in: - -- <> -- <> -- <> +Placeholder fields use http://mustache.github.io/[mustache syntax] ({{}}) (for example {{host.name}}) and can be used in <> and <>. [[pf-invest-guide-osquery]] === Use placeholder fields in Investigation Guides @@ -19,7 +15,4 @@ You can add placeholder fields to Osquery queries within an <> to dynamically add existing alert data to your query. +TIP: Use <> to dynamically add existing alert data to your query. ** *Pack*: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + From a8aff2cbdb13282b75f4cb3128c6d414fc8e4767 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 9 Mar 2023 00:29:36 -0500 Subject: [PATCH 03/23] Adding to index file --- docs/osquery/osquery-index.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/osquery/osquery-index.asciidoc b/docs/osquery/osquery-index.asciidoc index 6809066714..24eb1736c8 100644 --- a/docs/osquery/osquery-index.asciidoc +++ b/docs/osquery/osquery-index.asciidoc @@ -6,4 +6,6 @@ include::invest-guide-run-osquery.asciidoc[][leveloffset=+1] include::alerts-run-osquery.asciidoc[][leveloffset=+1] -include::view-osquery-results.asciidoc[][leveloffset=+1] \ No newline at end of file +include::view-osquery-results.asciidoc[][leveloffset=+1] + +include::osquery-placeholder-fields.asciidoc[][leveloffset=+1] \ No newline at end of file 
From 0ebd027d3cb31bb889e642c63921416cb7bec6ba Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 9 Mar 2023 14:27:25 -0500 Subject: [PATCH 04/23] Moar stuff --- .../osquery-placeholder-fields.asciidoc | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 3178cf508a..ff94530dd9 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,18 +1,20 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Use placeholder fields to dynamically inject alert and event data into queries when you run them. All Osquery fields can be placeholder fields. You can use placeholder fields in single queries and query packs. +Placeholder fields dynamically inject alert and event data into queries that you run. To create a placeholder field, you must wrap the field in double curly brackets (`{{}}`); you can use any field in an event or alert document. -Placeholder fields use http://mustache.github.io/[mustache syntax] ({{}}) (for example {{host.name}}) and can be used in <> and <>. +Placeholder fields work in single queries and query packs. If you are running a live query that has placeholder fields, _you must run it from an alert or event_. Also note that placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. -[[pf-invest-guide-osquery]] -=== Use placeholder fields in Investigation Guides +If the placeholder field is unable to find a value for the field in the alert or event's document, the query status will be `Skipped` and the following error message displays: -You can add placeholder fields to Osquery queries within an <> when creating or editing a rule. Make sure to run the Investigation Guide from alerts that are generated by the rule and not the rule itself. +TBD -[[pf-osq-response-action-osquery]] -=== Use placeholder fields in Osquery Response Actions +[float] +[[placeholder-field-example]] +=== Example query using a placeholder field +Here is an example query that uses the `{{host.name}}` placeholder field: -TBD +`SELECT * FROM os_version WHERE name = `{{host.name}} + +When this query is ran, it will select all columns from the `os_version` table where `name` is the value that's available in the alert or event's `host.name` field. - \ No newline at end of file 
From 4291351cbeeb5f1efcf45a57a8a8c45af68f8a36 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 9 Mar 2023 14:40:34 -0500 Subject: [PATCH 05/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index ff94530dd9..5275141737 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -1,7 +1,7 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Placeholder fields dynamically inject alert and event data into queries that you run. To create a placeholder field, you must wrap the field in double curly brackets (`{{}}`); you can use any field in an event or alert document. +Placeholder fields dynamically inject alert and event data into Osquery queries at runtime. Placeholder fields use mustache syntax and must be wrapped in double curly brackets (`{{}}`); you can turn any field in an event or alert document into a placeholder field. Placeholder fields work in single queries and query packs. If you are running a live query that has placeholder fields, _you must run it from an alert or event_. Also note that placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. From 84f7e2d93b551307f1bc554b5b9c91baf4611e9c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 12 Mar 2023 20:59:15 -0400 Subject: [PATCH 06/23] Revisions and revisions --- .../osquery-placeholder-fields.asciidoc | 28 +++++++++++++------ 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 5275141737..b9d15bc3cd 100644 
--- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,20 +1,30 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Placeholder fields dynamically inject alert and event data into Osquery queries at runtime. Placeholder fields use mustache syntax and must be wrapped in double curly brackets (`{{}}`); you can turn any field in an event or alert document into a placeholder field. +Placeholder fields are fields that can be replaced with data about an alert or an event. You can use placeholder fields to turn hard-coded queries into dynamic and flexible ones. Any field within an event or alert document can be used as a placeholder field. Placeholder fields can be used in single queries or query packs. -Placeholder fields work in single queries and query packs. If you are running a live query that has placeholder fields, _you must run it from an alert or event_. Also note that placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. +[float] +[[placeholder-field-syntax]] +=== Placeholder field syntax + +Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`), for example: `{{host.name}}`. + +Here is an example query using a placeholder field: -If the placeholder field is unable to find a value for the field in the alert or event's document, the query status will be `Skipped` and the following error message displays: +`SELECT * FROM os_version WHERE name = `{{host.name}}` -TBD +When the query is ran, the `{{host.name}}` field will be replaced with the value that's stored in the alert or event's `host.name` field. [float] -[[placeholder-field-example]] -=== Example query using a placeholder field -Here is an example query that uses the `{{host.name}}` placeholder field: +[[placeholder-field-run-query]] +=== Run queries with placeholder fields -`SELECT * FROM os_version WHERE name = `{{host.name}} +Queries with placeholder fields _must_ be run against an alert or an event. 
If a placeholder field can't find an alert or event field value, the query status will be `Skipped`. -When this query is ran, it will select all columns from the `os_version` table where `name` is the value that's available in the alert or event's `host.name` field. +Placeholder fields are supported for the following features: +* <> +* <> ++ +NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. +* <> From 20d3d0cf664098e0b2fbabd18001d4fc9e9f8136 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 12 Mar 2023 21:05:37 -0400 Subject: [PATCH 07/23] Clean up --- docs/osquery/osquery-placeholder-fields.asciidoc | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index b9d15bc3cd..3fc95f7751 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,15 +1,13 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Placeholder fields are fields that can be replaced with data about an alert or an event. You can use placeholder fields to turn hard-coded queries into dynamic and flexible ones. Any field within an event or alert document can be used as a placeholder field. Placeholder fields can be used in single queries or query packs. +Placeholder fields are fields that can be replaced with data about an alert or an event. You can use placeholder fields to turn hard-coded queries into dynamic, flexible ones. Any field within an event or alert document can be used as a placeholder field. Placeholder fields work in single queries or query packs. [float] [[placeholder-field-syntax]] === Placeholder field syntax -Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`), for example: `{{host.name}}`. - -Here is an example query using a placeholder field: +Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`). In the following example query, the `{{host.name}}` placeholder field is being used: `SELECT * FROM os_version WHERE name = `{{host.name}}` @@ -19,11 +17,11 @@ When the query is ran, the `{{host.name}}` field will be replaced with the value [[placeholder-field-run-query]] === Run queries with placeholder fields -Queries with placeholder fields _must_ be run against an alert or an event. If a placeholder field can't find an alert or event field value, the query status will be `Skipped`. +Queries with placeholder fields _must_ be run against an alert or event. If a placeholder field can't find an alert or event value, the query status will be `Skipped`. Placeholder fields are supported for the following features: -* <> +* <> * <> + NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. 
From adb1fa962e7d1c7413c2a6b65c26e30bc83b4f5e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 19 Mar 2023 13:17:36 -0400 Subject: [PATCH 08/23] Re-org --- .../osquery-placeholder-fields.asciidoc | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 3fc95f7751..bddde14062 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,28 +1,30 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Placeholder fields are fields that can be replaced with data about an alert or an event. You can use placeholder fields to turn hard-coded queries into dynamic, flexible ones. Any field within an event or alert document can be used as a placeholder field. Placeholder fields work in single queries or query packs. +Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass in existing alert or event data. Placeholder fields function like replaceable parameters. You can use placeholder fields to build flexible and re-usable queries. + +Placeholder fields work in single queries or query packs. They are also supported in the following features: + +* <> +* <> ++ +NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. +* <> [float] [[placeholder-field-syntax]] -=== Placeholder field syntax +=== Placeholder field syntax and requirements -Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`). In the following example query, the `{{host.name}}` placeholder field is being used: - -`SELECT * FROM os_version WHERE name = `{{host.name}}` +Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`). You can use any field within an event or alert document as a placeholder field. -When the query is ran, the `{{host.name}}` field will be replaced with the value that's stored in the alert or event's `host.name` field. +Queries with placeholder fields _must_ be run against an alert or event. If a placeholder field can't find an alert or event value, the query status will be `Skipped`. 
[float] -[[placeholder-field-run-query]] -=== Run queries with placeholder fields +[[placeholder-field-example]] +==== Example query with a placeholder field -Queries with placeholder fields _must_ be run against an alert or event. If a placeholder field can't find an alert or event value, the query status will be `Skipped`. +In the following query, the `{{host.name}}` placeholder field is being used: -Placeholder fields are supported for the following features: +`SELECT * FROM os_version WHERE name = `{{host.name}}` -* <> -* <> -+ -NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. -* <> +When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the {{host.name}} placeholder field. \ No newline at end of file From 1346444127e8ae51fcfb4ff5f958c47c4e170290 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 19 Mar 2023 13:41:11 -0400 Subject: [PATCH 09/23] Style fix --- docs/osquery/osquery-placeholder-fields.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index bddde14062..d8bf88078a 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -1,7 +1,7 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass in existing alert or event data. Placeholder fields function like replaceable parameters. You can use placeholder fields to build flexible and re-usable queries. +Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like replaceable parameters. You can use placeholder fields to build flexible and re-usable queries. Placeholder fields work in single queries or query packs. They are also supported in the following features: @@ -27,4 +27,4 @@ In the following query, the `{{host.name}}` placeholder field is being used: `SELECT * FROM os_version WHERE name = `{{host.name}}` -When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the {{host.name}} placeholder field. \ No newline at end of file +When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the `{{host.name}}` placeholder field. \ No newline at end of file From 5cc3ce70df04253de8218f7dc0ddbd887b062dae Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 19 Mar 2023 13:42:49 -0400 Subject: [PATCH 10/23] Add missing single qoute --- docs/osquery/osquery-placeholder-fields.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index d8bf88078a..47d5372076 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -23,8 +23,8 @@ Queries with placeholder fields _must_ be run against an alert or event. If a pl [[placeholder-field-example]] ==== Example query with a placeholder field -In the following query, the `{{host.name}}` placeholder field is being used: +In the following query, the `{{host.name}}` placeholder field is used: -`SELECT * FROM os_version WHERE name = `{{host.name}}` +`SELECT * FROM os_version WHERE name = `{{host.name}}`` When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the `{{host.name}}` placeholder field. \ No newline at end of file From 5536eb343de45790489a7fa83644757abaed3af0 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:44:15 -0400 Subject: [PATCH 11/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 47d5372076..ed565d24ce 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -1,7 +1,7 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like replaceable parameters. You can use placeholder fields to build flexible and re-usable queries. +Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and re-usable queries. Placeholder fields work in single queries or query packs. They are also supported in the following features: 
From af725b50c0380b9c894561e1da1fce8b427117ea Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:44:31 -0400 Subject: [PATCH 12/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Joe Peeples --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index ed565d24ce..6a8356f5f0 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -15,7 +15,7 @@ NOTE: Placeholder fields within an Osquery Response Action query will only work [[placeholder-field-syntax]] === Placeholder field syntax and requirements -Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{}}`). You can use any field within an event or alert document as a placeholder field. +Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{example.field}}`). You can use any field within an event or alert document as a placeholder field. Queries with placeholder fields _must_ be run against an alert or event. If a placeholder field can't find an alert or event value, the query status will be `Skipped`. From 99353d39c5d87e9d20b12c35e2c1d565e0694f4b Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:44:47 -0400 Subject: [PATCH 13/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Joe Peeples --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 6a8356f5f0..30cddb5358 100644 
--- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -3,7 +3,7 @@ Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and re-usable queries. -Placeholder fields work in single queries or query packs. They are also supported in the following features: +Placeholder fields work in single queries or query packs. They're also supported in the following features: * <> * <> From f6b2c0b4b8b1210cd3da10affa30b9b299137c2d Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:44:53 -0400 Subject: [PATCH 14/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Joe Peeples --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 30cddb5358..dbe885f3be 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -23,7 +23,7 @@ Queries with placeholder fields _must_ be run against an alert or event. If a pl [[placeholder-field-example]] ==== Example query with a placeholder field -In the following query, the `{{host.name}}` placeholder field is used: +The following query uses the `{{host.name}}` placeholder field: `SELECT * FROM os_version WHERE name = `{{host.name}}`` From 77f133e4223a6c07fbc1480cbf0fcfe711895632 Mon Sep 17 00:00:00 2001 
From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:45:03 -0400 Subject: [PATCH 15/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index dbe885f3be..705bf1f57d 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -6,7 +6,7 @@ Instead of hard-coding alert and event values into Osquery queries, you can use Placeholder fields work in single queries or query packs. They're also supported in the following features: * <> -* <> +* <> + NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. * <> From cb52ba47b33c986d36c36a9680d71ad584ad0184 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:49:04 -0400 Subject: [PATCH 16/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 705bf1f57d..92b6f69db8 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -8,7 +8,6 @@ Placeholder fields work in single queries or query packs. They're also supported * <> * <> + -NOTE: Placeholder fields within an Osquery Response Action query will only work if the rule has generated alerts. * <> [float] From 0479221e58979e95176f05bc2970ddc5e2962acf Mon Sep 17 00:00:00 2001 
From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 21 Mar 2023 17:51:01 -0400 Subject: [PATCH 17/23] Update docs/osquery/osquery-response-action.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/osquery/osquery-response-action.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-response-action.asciidoc b/docs/osquery/osquery-response-action.asciidoc index 35fd266623..3083002ca2 100644 --- a/docs/osquery/osquery-response-action.asciidoc +++ b/docs/osquery/osquery-response-action.asciidoc @@ -28,7 +28,7 @@ You can add Osquery Response Actions to new or existing custom query rules. Quer . Specify whether you want to set up a single live query or a pack: ** *Query*: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query. Mapping ECS fields is optional. + -TIP: Use <> to dynamically add existing alert data to your query. +TIP: You can use <> to dynamically add alert data to your query. ** *Pack*: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + From 5f4d3dad8de83b7c064480b6002da3b4c434d5fb Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 27 Mar 2023 13:18:34 -0400 Subject: [PATCH 18/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 92b6f69db8..7637a40637 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -26,4 +26,4 @@ The following query uses the `{{host.name}}` placeholder field: `SELECT * FROM os_version WHERE name = `{{host.name}}`` -When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the `{{host.name}}` placeholder field. \ No newline at end of file +When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the `{{host.os.name}}` placeholder field. \ No newline at end of file From 2642da8dd7705c4efb1ac1dd7d359cb8f4b9c911 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 27 Mar 2023 13:18:48 -0400 Subject: [PATCH 19/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 7637a40637..c91fc98981 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -1,7 +1,7 @@ [[osquery-placeholder-fields]] == Use placeholder fields in Osquery queries -Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and re-usable queries. +Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and reusable queries. Placeholder fields work in single queries or query packs. They're also supported in the following features: 
From e55f9ff09db1e51b8dfa63e24a6456e32ae885a3 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 27 Mar 2023 13:19:45 -0400 Subject: [PATCH 20/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index c91fc98981..8546f6e9c2 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -26,4 +26,4 @@ The following query uses the `{{host.name}}` placeholder field: `SELECT * FROM os_version WHERE name = `{{host.name}}`` -When you run the query, the value that's stored in the alert or event's `host.name` field will be passed into the `{{host.os.name}}` placeholder field. \ No newline at end of file +When you run the query, the value that's stored in the alert or event's `host.name` field will be transferred to the `{{host.os.name}}` placeholder field. \ No newline at end of file From bc3115dc060faf9c9d260c7a6c76dedab46f1a4d Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 27 Mar 2023 13:20:01 -0400 Subject: [PATCH 21/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 8546f6e9c2..f87863e0dd 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc 
@@ -24,6 +24,6 @@ Queries with placeholder fields _must_ be run against an alert or event. If a pl The following query uses the `{{host.name}}` placeholder field: -`SELECT * FROM os_version WHERE name = `{{host.name}}`` +`SELECT * FROM os_version WHERE name = `{{host.os.name}}`` When you run the query, the value that's stored in the alert or event's `host.name` field will be transferred to the `{{host.os.name}}` placeholder field. \ No newline at end of file From 3ca7b16cd7eed755957a5b3d7c60421518b4a9ad Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 28 Mar 2023 11:56:51 -0400 Subject: [PATCH 22/23] Update docs/osquery/osquery-placeholder-fields.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index f87863e0dd..90b84c48b7 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -16,7 +16,7 @@ Placeholder fields work in single queries or query packs. They're also supported Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{example.field}}`). You can use any field within an event or alert document as a placeholder field. -Queries with placeholder fields _must_ be run against an alert or event. If a placeholder field can't find an alert or event value, the query status will be `Skipped`. +Queries with placeholder fields can only run against alerts or events. Otherwise, they will lack the necessary values and be `Skipped`. [float] [[placeholder-field-example]] From 2d8d1be807b8db602eaffd662bef5147a7dead61 Mon Sep 17 00:00:00 2001 
From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 28 Mar 2023 12:43:18 -0400 Subject: [PATCH 23/23] Update docs/osquery/osquery-placeholder-fields.asciidoc --- docs/osquery/osquery-placeholder-fields.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/osquery-placeholder-fields.asciidoc b/docs/osquery/osquery-placeholder-fields.asciidoc index 90b84c48b7..ea1c7ea117 100644 --- a/docs/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/osquery/osquery-placeholder-fields.asciidoc @@ -16,7 +16,7 @@ Placeholder fields work in single queries or query packs. They're also supported Placeholder fields use http://mustache.github.io/[mustache syntax] and must be wrapped in double curly brackets (`{{example.field}}`). You can use any field within an event or alert document as a placeholder field. -Queries with placeholder fields can only run against alerts or events. Otherwise, they will lack the necessary values and be `Skipped`. +Queries with placeholder fields can only run against alerts or events. Otherwise, they will lack the necessary values and the query status will be `error`. [float] [[placeholder-field-example]]
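Review bot: In PATCH 16/23, removing only the `NOTE:` line leaves the list continuation marker `+` orphaned between `* <>` and the next `* <>` in osquery-placeholder-fields.asciidoc; a bare `+` with no block following it has nothing to attach to and can make AsciiDoc render the following bullet as continuation text rather than a list item. Drop the `+` line together with the note so the hunk reads `* <>`, `* <>`, `* <>` with no marker in between.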
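Review bot: In PATCH 18/23, the prose now names the `{{host.os.name}}` placeholder while the query in the hunk's context still reads `SELECT * FROM os_version WHERE name = `{{host.name}}``, and the same sentence still says the value comes from the alert's `host.name` field; a placeholder is resolved by the field name inside the braces, so the placeholder in the query, the placeholder in the prose, and the field named in the prose must all be the same string. Since the `name` column of osquery's `os_version` table holds the operating system name, `host.os.name` is the field that makes the example meaningful; change the query line and the "`host.name` field" reference in the same commit rather than leaving the three out of step.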
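Review bot: In PATCH 21/23, the query is updated to `{{host.os.name}}` but the unchanged context line still says the value is taken from the alert or event's `host.name` field, so the example remains internally inconsistent; change that to `host.os.name` as well. Two further points on the example line itself: the nested backticks in `` `SELECT * FROM os_version WHERE name = `{{host.os.name}}`` `` will not render as one monospace span in AsciiDoc, so put the query in a `[source,sql]` listing block; and because mustache performs plain text substitution (the page itself says placeholders use mustache syntax, not bound parameters), the substituted value must be a quoted SQL string literal, i.e. `WHERE name = '{{host.os.name}}'`, otherwise an OS name such as `Ubuntu` is interpolated as a bare identifier and the query fails. It is worth a sentence in the doc that the value is interpolated as text, so readers know to quote it and understand that a field value containing a quote character changes the query's structure.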
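Review bot: In PATCH 22/23, the reworded sentence loses a case the original covered: "If a placeholder field can't find an alert or event value" also described a query that runs against an alert whose document simply lacks the referenced field, whereas "can only run against alerts or events. Otherwise, they will lack the necessary values" reads as if running outside an alert context were the only failure mode. Keep both conditions, for example: "Queries with placeholder fields can only run against alerts or events, and every referenced field must exist in that document; otherwise the query lacks the necessary values and ...".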
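Review bot: In PATCH 23/23, the reported status changes from `Skipped` to `error` one commit after it was introduced, and the two spellings differ in capitalization; please confirm against the actual UI or API which status string a placeholder-resolution failure produces and cite where that status is documented, so the doc matches what an analyst will see in the results table when an alert lacks the referenced field.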